FIPS 140-2 validation for SurePassID G-Pass keyfob for AWS GovCloud

We have received a few inquiries asking whether the G-Pass TOTP keyfobs we sell on Amazon.com are intended (only) for use with AWS GovCloud accounts, and we want to clarify where we stand on FIPS 140-2 validation.

The FIPS support referred to on our website concerns our Authentication Server, where, when required, we can deploy a Hardware Security Module (HSM) to protect the secret keys of the OATH OTP tokens hosted on the server side. The HSM unit is FIPS certified and protects the secret keys in that scenario. This does not apply to our G-Pass tokens themselves.

Regarding the OATH TOTP G-Pass tokens, it is our understanding that OATH TOTP tokens do not fall under the FIPS requirements because they are not based on key-pair or PKI technology, which requires a crypto module on the token to protect the private key. There is no private key on the SurePassID G-Pass tokens, so no crypto module is required for that purpose.

Here is an excerpt from an RSA article regarding TOTP-type tokens:

“In general, FIPS 140-2 is not applicable to hardware OTP devices as cryptography is not used here in the traditional sense. Some people have pointed to the FIPS 140-2 requirement around random number generation (RNG), but [SurePassID] does not use RNG in this way (SurePassID token OTPs can't be a random number or there would be no way for token and server to derive the same value). Others have pointed out the FIPS requirement for performing a Power-On Self Test (POST). Unlike an event-based token that is "powered on" with each button press, however, [SurePassID] time-based tokens are always on and are therefore not subject to this requirement. It is worth noting that RSA [and SurePassID tokens] does perform an initial POST in manufacturing when the token is first powered on and programmed.”
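The point made above, that a TOTP value cannot be a random number because the token and the server must independently derive the same value, follows directly from how OATH TOTP (RFC 6238) works: both sides hold the same shared secret and compute an HMAC over the current time step. The following Python example is added here for illustration and is not SurePassID's or RSA's code; it implements the standard derivation and checks it against the published RFC 6238 Appendix B test vectors (the ASCII secret `12345678901234567890`, SHA-1, 8 digits). The `server_verify` drift window of one step is an assumed server policy, not a value taken from the page.

```python
import hashlib
import hmac
import struct
import time

# Constructed input: the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
# A real token and server would share a per-token secret provisioned at manufacture.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    The output is fully determined by (secret, time); no random number generator
    is involved, which is exactly why token and server agree on the value.
    """
    return hotp(secret, unix_time // step, digits, algorithm)


def server_verify(secret: bytes, candidate: str, unix_time: int,
                  window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift between an always-on token and the server.
    Uses a constant-time comparison so the check does not leak digit matches."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def token_and_server_agree(secret: bytes, unix_time: int) -> bool:
    """Demonstrates the shared-secret property: two independent computations
    (one standing in for the keyfob, one for the server) produce the same code."""
    token_side = totp(secret, unix_time)
    server_side = totp(secret, unix_time)
    return hmac.compare_digest(token_side, server_side)


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code for the test secret:", totp(RFC6238_TEST_SECRET, now))
    print("token and server agree:", token_and_server_agree(RFC6238_TEST_SECRET, now))
```

Because the same symmetric secret exists on both ends, the security of the scheme rests on keeping that secret confidential on both sides: on the server (which is what the HSM described above protects) and on the token (which is what the tamper resistance of the keyfob is for).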

The G-Pass tokens are tamper-resistant, conform to all other OATH standards for TOTP tokens, and are used in various government agencies and contractors where FIPS compliance is required for other credential types (PKI, PIV, and CAC) that are based on "smart card" or "smart chip" cryptographic modules.

If you need more information, send an email to helpdesk@surepassid.com or call us at (888) 200-8144 to speak with a SurePassID Solution Advisor.